HITRUST CSF®

The foundation of all HITRUST® programs and services is the HITRUST CSF®, a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.

Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors including organization type, size, systems, and regulatory requirements.

Through continual improvement and updates, the HITRUST CSF has become the most widely adopted security framework in the U.S. healthcare industry. The commitment and expertise demonstrated by HITRUST ensure that organizations leveraging the framework are prepared when new regulations and security risks are introduced.

Fundamental to HITRUST’s mission is the availability of the HITRUST CSF that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.


HITRUST CSF Version 9.1

Fundamental to HITRUST’s mission is the availability of a common information protection framework, the CSF, that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.

HITRUST CSF v9.1 Updates

HITRUST has increased its level of support for global organizational privacy programs in an interim v9.1 release of the HITRUST CSF by incorporating the European Union (EU) Regulation 2016/679, General Data Protection Regulation (GDPR), and mapping the HITRUST CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy.

These changes will increase applicability of the HITRUST CSF for privacy programs across multiple industries, both nationally and internationally.

HITRUST CSF Assessors

CSF Assessors are organizations that have been approved by HITRUST for performing assessments and services associated with the CSF Assurance Program and the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of healthcare organizations. CSF Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity, both to assess compliance with security control requirements and to document corrective action plans that align with the HITRUST CSF.